WIP: Set up step-ca
Unsure of the best way to set up bootstrapping the system. Do I run an Ansible playbook to generate certificates offline and then bootstrap with that? Can I bring it online afterwards and schedule it with Nomad?
This commit is contained in:
parent
d38c6059f4
commit
a8181a5f29
@ -13,6 +13,12 @@ all:
|
||||
group: "bin"
|
||||
mode: "0755"
|
||||
read_only: false
|
||||
- name: step-ca-data
|
||||
path: /srv/volumes/step-ca-data
|
||||
owner: "root"
|
||||
group: "bin"
|
||||
mode: "0700"
|
||||
read_only: false
|
||||
# consul_auto_encrypt:
|
||||
# enabled: true
|
||||
# dns_san: ["services.thefij"]
|
||||
@ -31,3 +37,7 @@ all:
|
||||
vault_instances:
|
||||
children:
|
||||
servers: {}
|
||||
ca_servers:
|
||||
hosts:
|
||||
nomad0.thefij:
|
||||
step_path: /srv/volumes/step-ca-data
|
||||
|
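--- a/nomad/ca/.gitignore
+++ b/nomad/ca/.gitignore
@@ -0,0 +1 @@
+step_path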
19
nomad/ca/Makefile
Normal file
19
nomad/ca/Makefile
Normal file
@ -0,0 +1,19 @@
|
||||
STEPPATH ?= ./step_path
|
||||
|
||||
.PHONY: bootstrap
|
||||
bootstrap: $(STEPPATH)/config/ca.json
|
||||
|
||||
$(STEPPATH)/config/ca.json:
|
||||
env STEPPATH=$(STEPPATH) \
|
||||
step ca init \
|
||||
--ssh \
|
||||
--deployment-type standalone \
|
||||
--name TheFij \
|
||||
--dns ca.thefij.rocks \
|
||||
--address 0.0.0.0:9443 \
|
||||
--provisioner ian@iamthefij.com
|
||||
|
||||
.PHONY: run
|
||||
run: $(STEPPATH)/config/ca.json
|
||||
env STEPPATH=$(STEPPATH) \
|
||||
step-ca $(STEPPATH)/config/ca.json
|
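Review bot: The `$(STEPPATH)/config/ca.json` recipe cannot run unattended, because `step ca init` prompts interactively for the CA key password and the provisioner password, which conflicts with the Ansible/Nomad bootstrapping the description is weighing; pass `--password-file $(STEPPATH)/secrets/ca-password --provisioner-password-file $(STEPPATH)/secrets/provisioner-password` (files kept out of VCS, mode 0600) and give the same `--password-file` to the `run` recipe so `step-ca` can decrypt the intermediate key without a prompt. With `--deployment-type standalone` the root private key is written to `$(STEPPATH)/secrets/root_ca_key` next to the online intermediate, and only the `.gitignore` keeps that directory out of the repo, so consider moving the root key off the host once the intermediate is issued. `--address 0.0.0.0:9443` binds every interface, which is reasonable for a CA host but deserves a comment above the line, e.g. `# CA listens on all interfaces; restrict exposure at the firewall / Nomad network`.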
35
nomad/ca/setup-ca.yml
Normal file
35
nomad/ca/setup-ca.yml
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
- name: Set up CA
|
||||
hosts: ca_servers
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
- name: Create step_path
|
||||
file:
|
||||
path: "{{ step_path }}"
|
||||
state: directory
|
||||
owner: root
|
||||
mode: "0700"
|
||||
|
||||
- name: Install step-ca
|
||||
include_role:
|
||||
name: maxhoesel.smallstep.step_ca
|
||||
vars:
|
||||
step_ca_name: TheFij CA
|
||||
step_ca_root_password: ...
|
||||
step_ca_intermediate_password: ...
|
||||
step_cli_steppath: "{{ step_path }}"
|
||||
|
||||
- name: Read fingerprint
|
||||
command: "step-cli certificate fingerprint {{ step_path }}/certs/root_ca.crt"
|
||||
register: root_ca_fp
|
||||
|
||||
- name: Bootstrap other hosts
|
||||
hosts: servers
|
||||
|
||||
tasks:
|
||||
- name: Boostrap hosts to trust CA
|
||||
include_role:
|
||||
name: maxhoesel.smallstep.step_bootstrap_host
|
||||
vars:
|
||||
step_bootstrap_ca_url: http
|
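Review bot: The root fingerprint captured by `register: root_ca_fp` in the first play is never used: it lives in the facts of the `ca_servers` host, and the bootstrap task on `servers` neither references it nor sets `step_bootstrap_ca_fingerprint`, so without the pin the role would trust whatever answers at the CA URL. Hand it across plays via hostvars, e.g. `step_bootstrap_ca_fingerprint: "{{ hostvars[groups['ca_servers'][0]].root_ca_fp.stdout }}"`, and point `step_bootstrap_ca_url` at the TLS endpoint the Makefile configures (`https://ca.thefij.rocks:9443`); the value `http` as shown looks unfinished or truncated. The literal `...` values for `step_ca_root_password` and `step_ca_intermediate_password` should not be committed even as placeholders; source them from vault-encrypted vars and add `no_log: true` to that `include_role` task so a failing run cannot echo them. The second play also lacks `become: true`, which installing the root into the hosts' trust store presumably requires.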